openssl @1.1.1l: update to 3.0.0

[l2dy (Zero King)]

Finally we can change its license to Apache-2 and resolve some license conflicts.

This is a major release and requires revbump of dependent ports. ​https://github.com/openssl/openssl/blob/openssl-3.0.0/doc/man7/migration_guide.pod

[kencu (Ken)]

Well, WHOO HOO! A LOT of pointless headaches with non-distributable software are about to disappear.

[neverpanic (Clemens Lang)]

Unfortunately this will probably mean providing a copy of openssl 1.1 in a separate subfolder for a while, even though OpenSSL 3.0 is really careful in not removing anything. I have a local Portfile of this that seems to work and have tested that curl builds fine against it, but no further steps than that at the moment.

[kencu (Ken)]

luckily there is already a process in place for a separate openssl 1.0 so that can hopefully be leveraged to to support 1.1 easily.

[reneeotten (Renee Otten)]

is anyone working on this and/or what's the plan moving forward?

I suppose a similar approach as with the boost ports can be taken here? In other words, copy the current openssl port to openssl11 and have it install in a separate location (just as is done in the openssl10 port; have the new openssl3 do the same. (I would think we probably don't need to have openssl3Y ports for every new version, so probably naming the new port openssl3 would be okay?) Then create an openssl PortGroup starting from the old_openssl PG to allow for selecting a certain version and setup things automatically as is done in the boost PG.

Once that is in place ports can be transitioned to use the openssl PortGroup, which should probably default to version 1.1.1. After that I guess maintainers can check whether the port builds with the latest openssl and move to that version? Anything missing in that proposal or concerns? Clemens: if you have a working port for openssl3 that installs in a separate location you could already add that to the tree or attach to this ticket?

[kencu (Ken)]

I don't think we have to do anything so complicated!

make an openssl11 port from our current port and install it in the right subdir. The current old_openssl PG is all we need to support it.

then update openssl to 3.x, and we are done. 10 minutes max.

I would have done it, but Clemens said he already did the 3.x update.

[reneeotten (Renee Otten)]

Replying to kencu:

I don't think we have to do anything so complicated!

make an openssl11 port from our current port and install it in the right subdir. The current old_openssl PG is all we need to support it.

then update openssl to 3.x, and we are done. 10 minutes max.

I would have done it, but Clemens said he already did the 3.x update.

Even better!

It would be really nice to have this updated so that things like the py-pyqt5-related stuff I've been fiddling around with can be distributed; and I don't need to feel bad that with every change a user has to build it locally again ;)

[kencu (Ken)]

I will get the openssl11 port going then, and once we have that, we should be able to just update openssl to current. PR shortly.

[reneeotten (Renee Otten)]

great, but updating the openssl port to the latest version will require all dependents to be rebuild - should that just be done en masse or for subsets of ports at a time?

[ken-cunningham-webuse]

In 939497411387692d03939323f0e626b728946a4c/macports-ports (master):

openssl11: older version of openssl

similar to openssl10, this port provides openssl 1.1.1,
for ports that may not be compatible with openssl 3.x

to use it, you add the following to the Portfile of
the port you want to force to openssl 1.1 (using botan as an example):

% cat botan-use-openssl1.1.diff
diff --git a/security/botan/Portfile b/security/botan/Portfile
index a6862250901..9f6ab677987 100644
--- a/security/botan/Portfile
+++ b/security/botan/Portfile
@@ -2,6 +2,7 @@

PortSystem 1.0
PortGroup muniversal 1.0

+PortGroup old_openssl 1.0

PortGroup legacysupport 1.0
# for arc4random_buf(), which is missing on 10.6 (Darwin 10)
legacysupport.newest_darwin_requires_legacy 10

@@ -32,6 +33,9 @@ checksums rmd160 f3a4c1b963b47d543430f8705d7db87c64e013b9 \

depends_build port:python27
depends_lib path:lib/libssl.dylib:openssl port:zlib port:bzip2

+openssl.branch 1.1
+openssl.configure build_flags
+

# respect MacPorts configure values
patchfiles-append patch-compiler_flags.diff \

patch-fix-install-with-destdir.diff \

NB: the openssl.branch and openssl.configure options need to be
placed after depends_lib to be properly picked up. That may
be fixed with adding a callback function to the old_openssl PG.

see: #63461

[kencu (Ken)]

That should do it. Almost identical to openssl10, only minor changes.I tried it out with a couple of builds, and it seems right to me.

Please give a try.

The livecheck is not registering right, but it looks like it should once they settle into the move to openssl 3.0, so I'm leaving it like it is for now.

Once we confirm that this reliably supports ports like it did for openssl 1.0, we can the update openssl to 3.0, and use openssl11 as a fallback for those that fail.

At least -- sounds good on paper :>

[kencu (Ken)]

Clemens will update this when he chooses, but if you want to try out openssl 3.0 and see if your various ports build against it, there is a PR here you can try:

​https://github.com/macports/macports-ports/pull/12410

I count a little over 750 ports that will need to be revbumped (some might be doubles, in the python and perl crowd).

[kencu (Ken)]

It didn't take too long to run into some troubles. ruby26 is being a bit of a headache #63550.

and then there is the libressl issue to make sure we consider too.

[mascguy (Christopher Nielsen)]

Changes for OpenSSL 3.0, etc:

​PR 12514 - Add more generic support for OpenSSL versions

[ostefano (Stefano Ortolani)]

I think mysql57 might be affected as well:

:info:configure -- suffixes <.a;.so;.dylib;.tbd>
:info:configure -- OPENSSL_INCLUDE_DIR = /opt/local/libexec/openssl3/include
:info:configure -- OPENSSL_LIBRARY = /opt/local/libexec/openssl3/lib/libssl.a
:info:configure -- CRYPTO_LIBRARY = /opt/local/libexec/openssl3/lib/libcrypto.a
:info:configure -- OPENSSL_MAJOR_VERSION =
:info:configure -- OPENSSL_MINOR_VERSION =
:info:configure -- OPENSSL_FIX_VERSION =
:info:configure CMake Error at cmake/ssl.cmake:247 (MESSAGE):
:info:configure   SSL version must be at least 1.1.1
:info:configure Call Stack (most recent call first):
:info:configure   CMakeLists.txt:568 (MYSQL_CHECK_SSL)
:info:configure -- Configuring incomplete, errors occurred!

Any workaround? Current setup here is:

  openssl @3_0 (active)
  openssl3 @3.0.0_2 (active)
  openssl11 @1.1.1l_5 (active)

[reneeotten (Renee Otten)]

openssl3 changes committed here.

Replying to ostefano:

I think mysql57 might be affected as well:

please open a separate ticket for that.

[conradwt (Conrad Taylor)]

How is this fixed because everything that I attempt to build outside of MacPorts breaks with OpenSSL3 and depends on OpenSSL1.1? I cannot locate openssl_select or any such port at this time. What's the fix for this?

[reneeotten (Renee Otten)]

if you want to compile things outside of MacPorts you'll probably have to specify where it should look for the libraries/includes. You can check where the files are installed with port contents <portname>, where portname is for example openssl11 or openssl3.

[conradwt (Conrad Taylor)]

I'll just set a symlink to use OpenSSL 1.1 until all sources and applications are upgraded to use OpenSSL 3.0